Firm or Company: 

Sport Tours International Inc 
6944 N Port Washington Rd 
Milwaukee Wl 53217-3923 


Guidelines: 

1. Show Purchase Order Number on all 
shipments and correspondence. 

2. Do not include state, local or Federal Excise 
Taxes ILLINOIS SALES TAX EXEMPTION 

ID NUMBER: E9991-3399-07 

3. Inquiries, advice or changes must be sent to the 
Purchasing Department. 


Purchase Order 


Illinois State 

UNIVERSITY 

lUinois*first public university 


Ship To: 

Illinois State University 
Central Receiving PO# BF198067 
2016 Warehouse Road 
Normal, IL 61790-1520 



P,0. Number: BF198067 

P.O. Date: 02/12/19 
Terms: Net 30 
FOB Point Destination 
Req Number 0052230 
Ship by: 


Invoice To: 

Illinois State University 
Purchasing Department 
Campus Box 1220 
Normal, IL 61790-1220 


Special Instructions 
PER ATTACHED AGREEMENT 


Description 


Men's Basketball Foreign Tour: 
8/7/19-8/17/19 


Part # Quantity Unit Unit Price Amount 



For more Information, contact Stacy L. Brown at 
slbrow2@llstu.edu, 309-438-1045 or fax 309-438-5555 


Total $110,000.00 
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ILLINOIS STATE UNIVERSITY 
ITALY INTERNATIONAL TOUR 
MEN'S BASKETBALL 
ROME * FLORENCE * VENICE 
August 7-17,2019 

itTVve. Board ot TrvtsAe.es el 
'This contract for an international Tour (hereinafter Tour) made and entered into on November 8,2018 by and between 
Sport Tours international, Inc. (hereinafter STl) and the Illinois State University (hereinafter Illinois State) stipulates: 

Soort Tours International Responsibilities 

Transportation: Nonstop airfare from Chicago to Rome, home from Venice. All transportation while in Italy. 
Accommodations: Four-star hotels while in Italy for nine nights. Suite upgrade far head coach. 

Meals: Breakfast dally. 

Excursions/Sightseeing: Tour of Venice, boat ride in Venice, Bike tour of Florence, Accademla in 

Florence, Boat ride in Florence, Tour of Rome, Tour of Colosseum, Vatican and Sistine Chapel, Scavenger Hunt In Rome. 

Competition: Arrangements for three games. 

Tour Escorts: Company escort 8c European guide will accompany the group. 

Illinois State University Responsibilities 

Transportation: Ground transportation to and from domestic airport. 

Travel and Rooming Lists: Provide full travel party and rooming list with alt names and information In order to purchase 
airfare and secure hotel reservations by June 1,2019. 

Official Travel Party: Price Is based off a minimum of 25 people in the travel party. 

Passports: Obtain a passport that is valid for a minimum of 90 days after return date to the U.S. 

International National Team Members: Confirm that travelers have the proper documentation needed to enter Europe 
and reenter the UJ>. 

Travel Insurance: Secure travel and medical Insurance for each member of the travel party. 

Meals: Lunch & Dinner. 

Miscellaneous: incidental costs including, but not limited to, airline name change and cancelation fees, airline hag ga ga 
costs, phone cafis, Wi-Fi and Internet, laundry, shopping, additional sightseeing and special requests. 


m°Ms 

THR 



Cost: $4,395 per person double occupancy; $4,995 per person single occupancy 


Payment Schedule 

$25,000 non-refundabie payment due within 30 days of signed contract 
$40,000 due April 15,2019 


r* Remaining balance due July 15,2019 . p. 

** sVioJuV yncwjLfi p£/i MK* |tuujrruuvJt 


(M) 

STl initials 


llllnofe State Initials 
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Additional Terms 

In the event of a circumstance, beyond the control of ST1, that requires Illinois State to stay additional nights on the Tour 


and/or modify Its flight itinerary, Illinois State will be responsible for any additional associated costs. 

litt’versvfy Csjr\jt\co3r»on« <wcl AdcUtionaJ 'farms «*id tJafrrcSicjarta 
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If Sport Tours International cancels the Tour (except for reasons noted below in "Force Majeure"}, Illinois State will receive 
all money paid and will be released from all conditions of this contract 


If Illinois State cancels its participation In the Tour all deposits and payments will be forfeited. In addition, Illinois State is 
responsible for paying documented unrecoverable expenses if total cost Is greater than the deposits received. 

Illinois State will be responsible for any costs associated with individual rooming Hst or travel list name changes and 
cancelations after the original list has been submitted. Any individual cancellations within 30 days of departure will be 
charged the full contracted price. 


Force Majeure: Sport Tours International Is not responsible forthe cancellation or delay of theTour If caused by an act of 
war, hostility, or sabotage; act of God; electrical, Internet telecommunication outage or transportation Interruption, 
government restriction, or other event outside its reasonable control. If theTour is cancelled due to Force Majeure, Illinois 
State will receive all deposits and payments up to the date of cancellation less documented, unrecoverable expenses. 
Both parties will make reasonable efforts to mitigate the effect of a force majeure event 



The Board Trufi'fceest 

UHnosS. V/ 



AthleticDl r etlui o i Designe e <Piftfcfroy of FWcJhases 
Date: l/lL/tl 
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Certifications 


Vendor acknowledges and agrees that compliance with this subsection in its entirety for the term of any resulting contract and 
any renewals is a material requirement and condition of the contract. By executing the contract Vendor certifies compliance with 
this subsection in its entirety, and is under a continuing obligation to remain in compliance and report any non-compliance. 

This subsection, in its entirety, also applies to subcontractors used on this contract. Vendor shall include these Standard 
Certifications in any subcontract used in the performance of the contract using the Standard Subcontractor Certification form 
provided by the State. 

If the contract extends over multiple fiscal years, including the initial term and all renewals, Vendor and its subcontractors shall 
confirm compliance with this section in the manner and format determined by the State by the date specified by the State and in 
no event later than July 1 of each year that the contract remains in effect. 

If the Parties determine that any certification in this section is not applicable to the contract it may be stricken without affecting 
the remaining subsections. 

1. As part of each certification, Vendor acknowledges and agrees that should Vendor or its subcontractors provide false 
information, or fail to be or remain in compliance with the Standard Certification requirements, one or more of the 
following sanctions will apply: 

■ the contract may be void by operation of law, 

• the State may void the contract, and 

the Vendor and it subcontractors may be subject to one or more of the following: suspension, debarment, denial 
of payment, civil fine, or criminal penalty. 

Identifying a sanction or failing to identify a sanction in relation to any of the specific certifications does not waive 
imposition of other sanctions or preclude application of sanctions not specifically identified. 

2 . Vendor certifies it and its employees will comply with applicable provisions of the United States Civil Rights Act, Section 
504 of the Federal Rehabilitation Act, the Americans with Disabilities Act, and applicable rules in performance of this 
contract. 

1. This applies to individuals, sole proprietorships, partnerships and LLCs, but is otherwise not applicable. Vendor, if an 
individual, sole proprietor, partner or an individual as member of a LLC, certifies he/she is not in default on an educational 
loan. 5 ILCS 385/3 

4. Vendor certifies that is has reviewed and will comply with the Department of Employment Security Law (20 ILCS 
1005/1005-47) as applicable. 

5. This applies only to certain service contracts and does NOT include contracts for professional or artistic services. To 
the extent there was a current Vendor providing the services covered by this contract and the employees of that Vendor 
who provided those services are covered by a collective bargaining agreement, Vendor certifies (i) that it will offer to 
assume the collective bargaining obligations of the prior employer, including any existing collective bargaining agreement 
with the bargaining representative of any existing collective bargaining u nit or units performing substantially similar work 
to the services covered by the contract subject to its bid or offer; and (ii) that it shall offer employment to all employees 
currently employed in any existing bargaining unit who perform substantially similar work to the work that will be 
performed pursuant to this contract. This does not apply to heating, air conditioning, plumbing and electrical service 
contracts. 30 ILCS 500/25-80 

6 . Vendor certifies it has neither been convicted of bribing or attempting to bribe an officer or employee of the State of 
Illinois or any other State, nor made an admission of guilt of such conduct that is a matter of record. 30 ILCS 500/50-5 
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.7. If Vendor has been convicted of a felony, Vendor certifies at least five years have passed after the date of completion of the 
sentence for such felony, unless no person held responsible by a prosecutor's office for the facts upon which the 
conviction was based continues to have any involvement with the business. BO ILCS 500/50-10 

.8. If Vendor or any officer, director, partner, or other managerial agent of Vendor has been convicted of a felony under the 
Sarbanes-Oxley Act of 2002, or a Class B or Class 2 felony under the Illinois Securities Law of 1953, Vendor certifies at 
least five years have passed since the date of the conviction. Vendor further certifies that it is not barred from being 
awarded a contract. 30 ILCS 500/50-10.5 

9. Vendor certifies it is not barred from having a contract with the State based upon violating the prohibitions related to 
either submitting/writing specifications or providing assistance to an employee of the State of Illinois by reviewing, 
drafting, directing, or preparing any invitation for bids, a request for proposal, or request of information, or similar 
assistance (except as part of a public request for such information). 30 ILCS 500/50-10.5(e) 

10. Vendor certifies that it and its affiliates are not delinquent in the payment of any debt to the State (or if delinquent have 
entered into a deferred payment plan to pay the debt. 30 ILCS 500/50-11,50-60 

11. Vendor certifies that it and all affiliates shall collect and remit Illinois Use Tax on all sales of tangible personal property 
into the State of Illinois in accordance with provisions of the Illinois Use Tax Act. 30 ILCS 500/50-12 

.12. Vendor certifies that it has not been found by a court or the Pollution Control Board to have committed a willful or knowing 
violation of the Environmental Protection Act within the last five years, and is therefore not barred from being awarded 
a contract. 30 ILCS 500/50-14 

13. Vendor certifies it has neither paid any money or valuable thing to induce any person to refrain from bidding on a State 
contract, nor accepted any money or other valuable thing, or acted upon the promise of same, for not bidding on a State 
contract. 30 ILCS 500/50-25 

14. Vendor certifies it has read, understands and is not knowingly in violation of the "Revolving Door" provisions of the Illinois 
Procurement Code. 30 ILCS 500/50-30 

15. Vendor certifies that if it hires a person required to register under the Lobbyist Registration Act to assist in obtaining any 
State contract, that none of the lobbyist's costs, fees, compensation, reimbursements or other remuneration will be 
billed to the State. 30 ILCS 500/50-38 

16. Vendor certifies that it will not retain a person or entity to attempt to influence the outcome of a procurement decision 
for compensation contingent in whole or in part upon the decision or procurement. 30 ILCS 500/50-38 

17. Vendor certifies it will report to the Illinois Attorney General and the Chief Procurement Officer any suspected collusion 
or other anti-competitive practice among any bidders, offerors, contractors, proposers, or employees of the State. 30 
ILCS 500/50-40, 50-45,50-50 

18. Vendor certifies that if it is awarded a contract through the use of the preference required by the Procurement of 
Domestic Products Act, then it shall provide products pursuant to the contract or subcontract that are manufactured in 
the United States. 30 ILCS 517 

19. Vendor certifies steel products used or supplied in the performance of a contract for public works shall be manufactured 
or produced in the United States, unless the executive head of the procuring Agency/University grants an exception. 30 
ILCS 565 

20. Drug Free Workplace 

3.20.1 If Vendor employs 25 or more employees and this contract is worth more than $5,000, Vendor certifies it will 
provide a drug free workplace pursuant to the Drug Free Workplace Act 
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3.20.2 If Vendor is an individual and this contract is worth more than $5000, Vendor certifies it shall not engage in the 
unlawful manufacture, distribution, dispensation, possession, or use of a controlled substance during the performance 
of the contract. 30ILCS580 

21 . Vendor certifies that neither Vendor nor any substantially owned affiliate is participating or shall participate in an 
international boycott in violation of the U.S. Export Administration Act of 1979 or the applicable regulations of the United 
States Department of Commerce. 30ILC5 582 

22 . Vendor certifies that no foreign-made equipment, materials, or supplies furnished to the State under the contract have 
been or will be produced in whole or in part by forced labor or indentured labor under penal sanction. 30ILCS 583 

23. Vendor certifies that no foreign-made equipment, materials, or supplies furnished to the State under the contract have 
been produced in whole or in part by the labor of any child under the age of 12. 30 ILCS 584 

24. This applies to information technology contracts and is otherwise not applicable. Vendor certifies that information 
technology, including electronic information, software, systems and equipment, developed or provided under this 
contract comply with the applicable requirements of the Illinois Information Technology Accessibility Act Standards as 
published at {www.dhs.state.il.us/iitaa). 30 ILCS 587 

25 . This only applies to vendors who own residential buildings but is otherwise not applicable. Vendor certifies, if it owns 
residential buildings, that any violation of the Lead Poisoning Prevention Act has been mitigated. 410 ILCS 45 

26 . Vendor certifies it has not been convicted of the offense of bid rigging or bid rotating or any similar offense of any state 
or of the United States. 720 ILCS 5/33 E-3, E-4 

27 . Vendor certifies it complies with the Illinois Department of Human Rights Act and rules applicable to public contracts, 
which include providing equal employment opportunity, refraining from unlawful discrimination, and having written 
sexual harassment policies. 775 ILCS 5/2-105 

2S Vendor certifies it does not pay dues to or reimburse or subsidize payments by its employees for any dues or fees to any 
"discriminatory club." 775 ILCS 25/2 

29 . Vendor warrants and certifies that it and, to the best of its knowledge, its subcontractors have and will comply with 
Executive Order No. 1 (2007). The Order generally prohibits Vendors and subcontractors from hiring the then-serving 
Governor's family members to lobby procurement activities of the State, or any other unit of government in Illinois 
including local governments if that procurement may result in a contract valued at over $25,000. This prohibition also 
applies to hiring for that same purpose any former State employee who had procurement authority at any time during 
the one-year period preceding the procurement lobbying activity. 

30 . Vendor certifies that if an individual, sole proprietor, partner or an individual as a member of a LLC, he/she has not 
received an early retirement incentive prior to 1993 under Section 14-108.3 or 16-133.3 of the Illinois Pension Code or 
an early retirement incentive on or after 2002 under Section 14-108.3 or 16-133.3 of the Illinois Pension Code. 30 ILCS 
105/15a; 40 ILCS 5/14-108.3; 40 ILCS 5/16-133 

31. Vendor certifies that it has read, understands, and is in compliance with the registration requirements of the Elections 
Code (10 ILCS 5/9-35) and the restrictions on making political contributions and related requirements of the Illinois 
Procurement Code. Vendor will not make a political contribution that will violate these requirements. 30 ILCS 500/20160 
and 50-37. 


32. A person (other than an individual acting as a sole proprietor) must be a duly constituted legal entity and authorized to 
transact business or conduct affairs in Illinois prior to submitting a bid or offer. If you do not meet these criteria, then 
your bid or offer will be disqualified. 30 ILCS 500/20-43 
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Additional Terms: 


Assignment and Subcontracting: (30ILCS 500/20-120) Any contract may not be assigned or transferred in whole or 
in part by Vendor without the prior written consent of the University. For purposes of this section, subcontractors are 
those specifically hired by the Vendor to perform all or part of the work covered by the contract. Vendor shall describe 
the names and addresses of all subcontractors to be utilized by Vendor in the performance of the resulting contract, 
together with a description of the work to be performed by the subcontractor and the anticipated amount of money 
that each subcontractor is expected to receive pursuant to a subsequent contract. Vendor shall notify the University in 
writing of any additional or substitute subcontractors hired during the term of a resulting contract, and shall supply the 
names and addresses and the expected amount of money that each new or replaced subcontractor will receive 
pursuant to the Contract. All subcontracts must include the same certifications and disclosures that Vendor must make 
as a condition of their contract. 

Audit / Retention of Records: (30 ILCS 500/20-65) Vendor and its subcontractors shall maintain books and records 
relating to the performance of the resulting contract or subcontract and necessary to support amounts charged to the 
University. Books and records, including information stored electronically, shall be maintained by the Vendor for a 
period of three years from the later of the date of final payment under the contract or completion of the contract, and 
by the subcontractor for a period of three years from the later of final payment under the term or completion of the 
subcontract. If federal funds are used to pay contract costs, the Vendor and its subcontractors must retain its records 
for a minimum of five years after completion of work. Books and records required to be maintained under this section 
shall be available for review or audit by representatives of: the University, the Auditor General, the Executive Inspector 
General, the Chief Procurement Officer, State of Illinois internal auditors or other governmental entities with 
monitoring authority, upon reasonable notice and during normal business hours. Vendor and its subcontractors shall 
cooperate fully with any such audit and with any investigation conducted by any of these entities. Failure to maintain 
books and records required by this section shall establish a presumption in favor of the University for the recovery of 
any funds paid by the University under the contract for which adequate books and records are not available to support 
the purported disbursement. The Vendor or subcontractors shall not impose a charge for audit or examination of the 
Vendor's books and records. 

Availability of Appropriation (30 ILCS 500/20-60): Any resulting contract is contingent upon and subject to the 
availability of funds. The University, at its sole option, may terminate or suspend this contract, in whole or in part, 
without penalty or further payment being required, if the Illinois General Assembly or the federal funding source fails 
to make an appropriation sufficient to pay such obligation. If funds needed are insufficient for any reason, the 
University has discretion on which contracts will be funded. 

Transportation Sustainability Procurement Program Act (30 ILCS 530/10 (b): All contracts for freight, small package 
delivery, and any transportation of cargo require providers to report the amount of energy the service provider 
consumed to provide those services to the State and the amount of associated greenhouse gas emissions, including 
energy use and greenhouse gases emitted as a result of the provider's use of electricity in its facilities and the energy 
use and greenhouse gas emissions by the service provider’s subcontractors in the performance of those services. 
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Data Security Addendum- GDPR Version 

Vendor acknowledges and agrees that compliance with this Addendum in its entirety for the term of the contract 
and any renewals is a material requirement and condition of this contract If the Parties determine that any clause 
in this section is not applicable to this contract it may be stricken without affecting the remaining subsections. 

UNLESS SPECIFICALLY EXEMPTED, THE FOLLOWING CONFIDENTIALITY AND DATA SECURITY REQUIREMENTS 
APPLY TO UNIVERSITY DATA MADE AVAILABLE TO THE VENDOR UNDER THE TERMS OF THIS AGREEMENT* 

REQUIRED CONDITIONS: 

1. Order of Precedence : 

This Version shall only become used if the Agreement incorporates transfers of Personal Data, as defined 
in this Section, from Data Subjects from the European Union, the European Economic Area and/or their 
member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level 
of data protection within the meaning of Data Protection Laws of the foregoing territories, to the extent 
such transfers are subject to such Data Protection Laws ( excluding any transactions subject to the US 
Privacy Shield Framework). In the event of any such transfer, the provisions of this Addendum and the 
Standard Contractual Clauses shall take precedence over any contrary provisions of this Agreement. 

2. Definitions : The following terms shall be defined as follows for purposes of the Agreement. 

a. "Data Controller" means the entity which determines the purposes and means of the Processing 
of Personal Data. 

b* "Data Processor" or "data importer" meaning the processor who agrees to receive from the 
University personal data intended for processing on his behalf after the transfer in accordance with 
his instructions and the terms of the Clauses and who is not subject to a third country's system 
ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;. 

c* "Data Protection Laws" means the Directive, the General Data Protection Regulation, Local Data 
Protection Laws, any subordinate legislation and regulation implementing the General Data 
Protection Regulation, and all Privacy Laws. 

d. "Directive" means the EU Data Protection Directive 95/46/EC (as amended). 

e* "General Data Protection Regulation" means the European Union Regulation on the protection 
of individuals with regard to the processing of personal data and on the free movement of such 
data, and repealing Directive 95/46/EC. 

f. Personal data \ 'Special categories of data \ ' Process/processing * 'Controller \ 1 Processor ' and 
'Sub-Processor*, ' Data subject* and ' Supervisory authority* shall have the same meaning as in 
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the 
protection of individuals with regard to the processing of personal data and on the free movement 
of such data; 

g. "Personal Data Breach" means any accidental or unlawful destruction, loss, alteration, 
unauthorized disclosure of, or access to Personal Data subject to this agreement. 

h. "University Personal Data" refers to any Personal Data provided by the University to the Vendor. 

i. "Standard Contractual Clauses" means Clauses attached as Attachment pursuant to the 
European Commission's decision of 5 February 2010 on Standard Contractual Clauses for the 
transfer of personal data to processors established in third countries which do not ensure an 
adequate level of data protection. 

3* Processing 

a. University is the Controller of University Personal Data. Vendor is appointed as the Processor for 
University Personal Data. 

b. A list of categories of Data Subjects, types of Client Personal Data, Special Categories of Personal 
Data and the nature, purpose, and subject matter of the processing activities is set out in the 
Standard Contractual Clauses Appendix 1. The duration of the Processing corresponds to the 
duration of the Agreement. 
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c. Vendor agrees to Process University Personal Data according to the University's written 
instructions as defined by this Agreement. If Vendor believes any instruction violates the GDPR 
or other applicable data protection regulations, Vendor will inform University without undue 
delay and may suspend the performance until University has modified or confirmed the 
lawfulness of the requests in writing. 

d. Vendor will comply with all Data Protection Laws applicable to Processors in providing Services 
under this Agreement. 

e. Vendor represents and warrants that it requires all of its personnel authorized to Process 
University Personal Data to commit themselves to confidentiality and not Process such University 
Personal Data for any other purposes, except on instructions from University or unless required 
by applicable law. 

4. Transborder Data Processing 

a. By agreeing to this Addendum, University is entering into the EU Standard Contractual Clauses as 
defined with the Vendor and/or Subprocessors established outside either the European 
Economic Area or countries considered by the European Commission to have adequate 
protection. 

b. Vendor and University agree that the EU Standard Contractual Clauses, including any claims 
arising from them, are subject to the terms set forth in the Agreement, including the exclusions 
and limitations of liability. In case of conflict, the EU Standard Contractual Clauses shall prevail. 

5. Data Subject Rights and Requests 

a. To the extent permitted by law, Vendor inform University of requests from Data Subjects 
exercising their Data Subject rights (e.g. rectification, deletion and blocking of data) addressed 
directly to Vendor regarding University Personal Data. University shall be responsible to respond 
to such requests of Data Subjects. Vendor will reasonably assist University in responding such 
Data Subject requests in accordance with this Agreement. 

b. Subject to the terms of the Agreement, University may claim from Vendor amounts paid to a 
Data Subject for a violation of their Data Subject rights caused by Vendor's breach of its 
obligations under GDPR. 

6. University Data Security Protections : Vendor shall provide commercially reasonable and adequate 
protection on its network and systems to protect University data from unauthorized access, acquisition, 
destruction, use modification or disclosure that shall include but not be limited to include firewalls and 
intrusion detection/prevention, authentication and encryption capabilities (including mobile devices, USB 
storage devices and backup media) in accordance with standard industry practices. Vendor will 
implement and maintain technical and organizational measures set forth in the Standard Contract Clauses 
Appendix 2 

7. Third-Party Assurances / Subcontractors: 

a. Vendor shall notify University of any Subprocessors, as that term is defined under Data 
Protection Laws, it intends to use in providing Services. Vendor may only release University 
Personal Data to a Subprocessor (e.g. subcontractor, affiliate or other third party) with the 
designated University authorized official's prior written consent and provided that such 
subcontractor, affiliate, or other third party agrees to comply with all provisions of this 
Agreement. 

b. Within 30 days after Vendor's notification of its intention to use a Subprocessor, University can 
object to the addition of a Subprocessor on the basis that such addition would cause University 
to violate applicable legal requirements. University's objection shall be in writing and include 
University's specific reasons for its objection and options to mitigate, if any. 

c. If University does not object within such period the respective Subprocessor may be 
commissioned to Process University Personal Data. Vendor shall impose substantially similar data 
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protection obligations as set out in this Agreement on any approved Subprocessor prior to the 
Subprocessor Processing any University Personal Data, 

d. If University's legitimately objects to the addition of a Subprocessor and Vendor cannot 
reasonably accommodate University's objection Vendor will notify University, University may 
terminate the affected Services by providing Vendor with a written notice within one month of 
Vendor's notice. 

e. Vendor will not disclose University Personal Data to any other third party, unless authorized by 
the University or required by law. If a government or Supervisory Authority demands access to 
University Personal Data, Vendor will notify University prior to disclosure, unless prohibited by 
law. 

8. Vendor Monitoring/Audit : 

a. With prior written notice, University (or its agent or affiliate) may audit Vendor's use of the 
University Data to ensure that Vendor is in compliance with the terms of this Agreement. Upon 
University's written request, Vendor will provide University or its mandated auditor with the 
most recent certifications and/or summary audit report(s), which Vendor has procured to 
regularly test, assess and evaluate the effectiveness of its technical and organizational security 
measures. Vendor will keep complete and accurate records of all use of University data, 
including a log file of all employees with access to University Data. Vendor will reasonably 
cooperate with University by providing available information. University may at its own expense 
and upon no less than five working days written notice audit Vendor's use, access, or 
maintenance of the University Data. As part of such audit, University is entitled to obtain 
physical and electronic data concerning use of University's data upon submitting a reasonable 
request to Vendor. Such audit will not interfere unreasonably with Vendor's business activities, 
will be conducted no more often than once per calendar year at a location, unless a previous 
audit disclosed a material breach. If an audit reveals the Vendor has breached this Agreement, 
University may immediately terminate the Agreement. 

b. Jf further information is needed by University to comply with its own or other Controllers audit 
obligations or a competent Supervisory Authority's request, University will inform Vendor in 
writing to enable Vendor to provide such information or to grant University access to it. To the 
extent it is not possible to otherwise satisfy an audit obligation mandated by applicable law, only 
legally mandated entities (such as a governmental regulatory agency having oversight of 
University's operations) the University or its mandated auditor may conduct an onsite visit of the 
facilities used to provide the Service, during normal business hours and only in a manner that 
causes minimal disruption to Vendor's business. Each party will bear its own costs in furtherance 
of this paragraph. 

9. Return/Destruction of Data: 

i. As applicable and in accordance with law, within a reasonable time period after 
termination of this Agreement, for any reason, Vendor shall return or destroy (as 
specified by the University) all University data and indexing information received from 
University, or created or received by Vendor on behalf of the University. This provision 
shall apply to data in the possession of subcontractors or agents of Vendor. 

ii. Destruction of University data will be conducted in accordance with standard industry 
practices deemed acceptable by the University and Illinois State Record Act 
requirements. 

iii. Vendor shall provide proof or certification of destruction of the data to the University's 
Information Security Officer. 

10. Breach: 

Vendor will notify University without undue delay after becoming aware of a Personal Data Breach with 
respect to the Services. University will promptly investigate the Personal Data Breach and will assist 
University as set out in this Agreement. 
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a. Notice: Vendor, including any subcontractors, affiliates, and third parties, shall report in the 
most expedient timeframe possible but no later than 48 hours to the University Information 
Security Officer {!) any breach of security involving, or potentially involving, University Data, or (ii) 
any use or disclosure of University Data other than the Permitted Uses or breach of federal and 
state privacy laws. Vendor shall fully cooperate with the University with respect thereto. The 
University Information Security Officer can be contacted e-mailing 
informationsecuritvofficeiS5Hllinoisstate.edu . Vendor will assist University by technical and 
organizational measures, insofar as possible, for the fulfillment of University's obligation to 
comply with the rights of Data Subjects and in ensuring compliance with University's obligations 
relating to the security of Processing, the notification of a Personal Data Breach and the Data 
Protection Impact Assessment, taking into account the information available to Vendor. 
University will make a written request for any assistance referred to in this DPA. Vendor will 
charge Client no more than a reasonable charge to perform such assistance such charges to be 
set forth in a quote and agreed in writing by the parties. 

b. Indemnification: Vendor shall indemnify, defend and hold University harmless from and against 
all third-party claims, actions, suits and proceedings resulting from the release of any University 
Data, including the University's costs and reasonable attorneys' fees which arise as a result of 
Vendor's failure to safeguard University Personal Data as provided in this Agreement. Any 
limitations of liability contained in the Agreement shall not be applicable to Vendor's obligations 
pursuant to this section. 
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ADDITIONAL DATA SECURITY TERMS & CONDITIONS: 


Please check those terms and conditions applicable to this Agreement. 

□ Vendor Certifications: Prior to performing services which require access to, transmission of and/or storage of 
Personally Identifiable & Protected University Data, Vendor will provide a third party certification of compliance 
with standard industry practices in a form acceptable to the University Information Security Officer. 

□ FERPA. Vendor hereby acknowledge and agrees to comply with the limitations on the use and re-disclosure of 
Personally Identifiable & Protected University Data from education records as defined in 34 CFR § 99.00 et seq. 
Vendor further acknowledge and agrees tfiat it shall maintain the confidentiality, and shall not re-disclose, 
personally Identifiable Information from education records except as authorized by the University in writing. 

□ Health Insurance Portability and Accountability Act l"HIPAA"l : If the Vendor is a "covered entity" as that term 
is defined under HIPAA, the Vendor shall enter into a Business Associate Agreement with the University. If the 
Vendor is not a "covered entity" as that term is defined under HIPAA, the Vendor acknowledges i) any students 
working at the Vendor's site or under the Vendor's supervision and control are part of the Vendor's "workforce" as 
defined in HIPAA Privacy Regulations at 43 C.F.R. 160.103, and ii) no Business Associate agreement is required 
between the University and Facility. The Facility will provide the necessary HIPAA training to students and 
students will be expected to comply with HIPAA and any other confidentiality requirements of the Facility. 

□ PCI Standards: If. in the course of providing services to University, Vendor has access to or will collect, access, 
use, store, process, dispose of or disclose credit, debit or other payment cardholder information, Vendor shall at all 
times remain in compliance with the Payment Card Industry Data Security Standard ("PCI DSS") requirements, 
including remaining aware at all times of changes to the PCI DSS and promptly implementing all procedures and 
practices as may be necessary to remain in compliance with the PCI DSS, in each case, at Service Provider's sole 
cost and expense. 
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